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Abstract 

o 

CN| ■ Over the last two decades, there has been an extensive study on logical formalisms 

^ I for specifying and verifying real-time systems. Temporal logics have been an important 

Mh. research subject within this direction. Although numerous logics have been introduced 

■^^ ' for the formal specification of real-time and complex systems, an up to date com- 

ly-v . prehensive analysis of these logics does not exist in the literature. In this paper we 

^v^ ' analyse real-time and probabilistic temporal logics which have been widely used in 

this field. We extrapolate the notions of decidability, axiomatizability, expressiveness, 
model checking, etc. for each logic analysed. We also provide a comparison of features 
of the temporal logics discussed. 



o 

o 



1 Introduction 



m 

^ I Temporal logics have been extensively used in the specification of various systems, such as 

^-^ ' real-time and control systems, for more than two decades. They provide a mathematical 

CSJ ■ foundation to formally analyse these systems. Many industrial applications and case studies 

proved the usability of temporal logics within this context. 

lO ■ 

^^ ' A system behaviour is usually described by a set of 'events', and their associated 'temporal 

^D . constraints'. Temporal logics allow us to express such a behaviour by means of 'logical for- 

mulas' [12j. In general, temporal logics have been introduced for specific types of problems. 
The general trade-off is between the complexity and simplicity. In certain applications 

^ . simple logics are preferred to the complex ones |12| . Complex logics are generally difficult 

H I to deal with practically. 

Numerous logics have been introduced for the formal specification of real-time and com- 
plex systems, and various aspects of logics have been studied. Some surveys [83l [H [121 EH] 
make a comprehensive analysis of specific logics. In this paper we outline main and recent 
developments in the field in a broad sense. Namely, we give an overview on most-known 
temporal logics introduced up to now. All these logics are different in terms of 'expressive- 
ness', 'order', 'time metric', 'temporal modalities', 'time model' and 'time structure'. They 
also have different capabilities for the specification and verification of real-time systems. 

In this paper we survey the following aspects: 'basic temporal framework', 'real-time' and 
'probability'. Real-time aspect of temporal logics is important to express timing require- 
ments of real-time systems. Probabilistic aspect is needed in order to reason about systems 
which include uncertainty and probabilistic assumptions. 

In the following we will analyse well-known real-time and probabilistic temporal logics. We 
will summarize important results on decidability, axiomatizability, expressiveness, model 
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checking, etc. for each logic analysed. We will also provide a comparison of features of the 
temporal logics discussed. 

Note that in some instances we think it is more convenient to refer to the original text for 
clarification purposes. In the following, we will use quotation marks to use the text from 
the original resources. 



2 Preliminarieqll 



We can classify temporal logics based on several criteria. The common dimensions are 
'propositional versus first-order', 'point-based versus interval-based', 'linear versus branch- 
ing', 'discrete versus continuous', etc |24 | llOSj I12j. Below we discuss the most important 
criteria to classify temporal logics. 

Point versus interval structures: There are two structure types to model time in a 
temporal logic: points (instants) and intervals. A point structure T can be represented 
as (T, <), where T is a nonempty time points, and < is a 'precedence' relation on T. 
Different temporal relationships can be described using different modal operators. Some 
logics include modal operators which can express quantification over time. However, a 
relationship between intervals is difficult to express using a point-based temporal logic |32) . 

Interval temporal logics are expressive, since these logics can express a relationship between 
two events, which are represented by intervals. Also, interval logics |95| [96l [78l [66l [76} l92l 
|43] have a simpler and neater syntax to define a relationship between intervals, which 
provides a higher level abstraction than a point-based logic when modeling a system. This 
makes interval logic formulas much simpler and more comprehensive than point-based logic 
formulas. 

Some of the known interval operators are meets, before, during [2], which denote the ordering 
of intervals; chop modality |104) . which denotes combining two intervals; and duration, 
which denotes a length of an interval [16] . 

Interval structures can be considered in two ways: (i) intervals are 'primitive' objects (ii) 
intervals are composed from points. [1031 [771 1106) consider intervals as primitive objects 
of time. 1 103] defines a 'period structure' as the tuple {Z, C, -^), where Z is a non-empty 
set of intervals, C is a sub-interval relation, and -< is a precedence relation. One particular 
problem of this approach is that theoretical analyses are usually very difficult. Also, al- 
though it is very easy to define properties linearity, density, discreteness, unboundedness in 
a point-based logic, it is very difficult to define these properties in an interval logic where 
intervals are primitive objects. 

|381 H3l 1104) consider intervals as set of points, where the time flow is assumed as "a strict 
partial ordering of time points". Namely, an interval structure is defined as (7~,X(T)), 
where T = (T, <) is a strict partial ordering and X(T) is a set of intervals. The properties 
mentioned above can be defined in an interval logic where intervals are composed of time 
instants. 



^This section is taken verbatim from |60) . 



We conclude this section with the historical development of interval-based temporal logics. 
The concept of time intervals was first studied by Walker |107| . Walker considered a non- 
empty set of intervals, which is partially orderd. However, his work does not cover aspects 
of temporal logic in a general sense. In [44J philosophical aspects of an interval ontology 
was analysed. In |53| an interval tense logic was introduced. |23| [59| [93| [T5| 11021 l34l l99] 
studied interval logics within the natural language domain. It was argued that interval- 
based semantics are more convenient for human language and reasoning, and interval-based 
approach is more suitable than point-based approach for temporal constructions of natural 
language. [21 [3l [5lll] studied event relations and interval ordering. The authors introduced 
so-called Allen's thirteen interval relations and worked on axiomatisation and representation 
of interval structures. Some further works on Allen's algebra were carried out by [661 135). 
Recently, |94| investigated the relation between Allen's logic and LTL. Interval based-logics 
have been also applied to other fields in computer science. |86l [90l I49| worked on process 
logic, where intervals are used as representation of information. Another important work 
was the development of interval temporal logic (ITL), and its application to design of 
hardware components |781l42j. Since the development of ITL, various variations have been 
proposed so far. In particular. Duration Calculus [16J is an extension of interval temporal 
logic with "a calculus to specify and reason about properties of state durations". 

Temporal Structure: There are important properties regarding the time flow and tem- 
poral domain structure. Some properties are summarized below: 

Assume (T, <) represents a temporal structure, where T is a nonempty time points, and < 
is a 'precedence' relation on T. In a temporal logic the structure of time is linear if any two 
points can be compared. Mathematically, a strict partial ordering is called linear if any two 
distinct points satisfy the condition: Vx, y:x<y\'x = yVx>y. This definition suggests 
that in linear temporal logics each time point is followed by only one successor point. 

Another class is the branching-time structures, where the underlying temporal structure is 
branching-like, and each point may have more than one successor points. The structure 
of time can be considered as a tree. A tree is a set of time points T ordered by a binary 
relation < which satisfies the following requirements 



• 



• 



(T, <) is irreflexive; 
(T, <) is transitive; 

• Vt, u,v €z T u < t and v<t^>-u<v,u = voiu>v (i.e. the past of any point is 
linear) ; 

• Vx, y G T,3z €T such that z < x and z < y (i.e. (T, <) is connected). 

One important characteristics of branching logics is that the syntax of these logics include 
path quantification which allows formulas to be evaluated over paths. However, linear 
temporal logics are restricted to only one path. 

A temporal domain is discrete with respect to the precedence relation < if each non-final 
point is followed by a successor point. This can be formulated as follows: \/x, y {x < y —^ 3z 
(x < z A -<3w{x < w A w < z))) |100| . Majority of temporal logics used for system 
specification are defined on discrete time, where points represent system states. A state 



sequence, as a result of a program execution, can be considered as isomorphic to discrete 
series of positive integers. 

A temporal domain is dense if, between any two distinct points, there is another point. 
This can be formally denoted \/x,y{x < y — ^ 3z(x < z < y)) [lOOj . Above we mentioned 
that flow of discrete time can be represented as positive integers. Similarly, density can 
be represented as real numbers. It is noteworthy to mention that there is a distinction 
between density and continuity: "A model of dense time is isomorphic to a dense series of 
rational numbers, meaning that there is always a rational number between any two rational 
numbers; whereas a model of continuous time is isomorphic to a continuous series of real 
numbers" |105| . 

A temporal domain is hounded above [hounded helow) if the temporal domain is bounded in 
the future (past) time. This can be formulated as follows: 3x^3y{x < y {3x^3y{y < x))) 
|100| . Similarly, a temporal domain is unhounded ahove [unhounded helow) if each point 
has a successor (predecessor) point, which is formally denoted \/x3y{x < y i\/x3y[y < x))) 

UDo]. 

A temporal domain is Dedekind complete if all time point sets (non-empty) are bounded 
above, and they have a least upper bound. 

Based on differences in temporal domain properties logics have different characteristics. 
For example, we can consider a temporal domain which is linear or branched; discrete or 
dense; finite/infinite in future and/or past, etc. All these choices result in different syntax, 
semantics, decidability and complexity. 



3 Real-Time Temporal Logics 

Over the last two decades, temporal logics have been used as a mathematical foundation 
to formally analyse real-time systems. System behaviours are usually expressed in terms 
of a logical formula. Although this depends on the richness of the language, in general, 
temporal logics are very expressive to specify important aspects of the systems. Generally 
speaking real-time temporal logics have been defined for specific purposes. In certain cases, 
temporal logics with a simple syntax are used in order to make them practically feasible. 

Below we give a brief account of well-known real-time temporal logics (summarised from 
|831 IHl [12])- All these logics are different in terms of 'expressiveness', 'order', 'time met- 
ric', 'temporal modalities', 'time model' and 'time structure'. They also have different 
capabilities for the specification and verification of real-time systems. 

3.1 Real-time Extensions of CTL 

In [25] a real-time extension of CTL, called RTCTL, was introduced. RTCTL has "point- 
based strictly- monotonic integer-time semantics" [9]. RTCTL includes a metric for time. 
The satisfiability problem of RTCTL is 2-EXPTIME-complete [25) . The model-checking 
problem is linear |25| . 



[6] introduced the real-time logic TCTL, which extends CTL with hidden clock bounded 
operators. It has "point-based strictly-monotonic real-time semantics" [9]. The satisfiability 
checking of a TCTL formula is undecidable if it is interpreted over dense time domains; but 



the model checking problem still remains decidable [6]. [6] finds that the model checking 
complexity of TCTL is "exponential in the number of clocks, exponential in the length of 
timing constraints, linear in the size of the node-transition graph, linear in the number of 
operators in the formula and exponential in the length of the subscripts in the formula". 
[6] also shows that the upper bound can be improved to PSPACE, and the model check- 
ing problem is PSPACE-complete. j6^ considers the model checking problem of different 
subclasses of TCTL. 

Another branching time logic called TPCTL is introduced in |i47j . TPCTL is a probabilistic 
extension of CTL. The underlying time structure is represented by discrete time. TPCTL 
semantics is defined over non-deterministic probabilistic transition systems. TPCTL can 
express both hard and soft deadline properties, such as 'an error occur with a probability of 
0.1 within 100 seconds'. [47] shows that TPCTL model checking has EXPTIME complexity. 
|11| proves that the model checking problem is polynomial. 

3.2 Real-Time Logic (RTL): 

RTL is a first-order temporal logic, introduced in [56] to reason about events and their 
relations. The logic includes a so-called occurrence function which maps each event to a 
time stamp. Existence of occurrence function allows RTL to express periodic and non- 
periodic real-time properties. 

In RTL, time is measured with an 'absolute' clock whose value can be referenced in a 
formula. RTL is defined over a linear sequence of discrete time points, which are bounded 
in the past, but unbounded in the future. [8] shows that under these semantics RTL is 
undecidable. 

Since absolute clocks are used, and clock values can be explicitly referenced in formulas, 
RTL can be used to express ordering and quantitative temporal constraints. One disadvan- 
tage of this functionality is that using explicit reference to time results in complex formulas 
difficult to understand. For example, the temporal constraint "for each occurrence of an 
event B which happens at a time instant to, the predicates startA and endA hold (marking 
an interval [startA, endA] at which A is true), and the interval [startA, endA] is subsumed 
by the interval [to, to+tf,] (where tQ<startA < endA<tQ+tb)" is specified in RTL as follows 

. yt.yiM{nB,i) = t ^ (3j.(t < @(t a,j)) a (@(i a,j) < t + 4)) 

where ^B denotes the occurrence of the event B, t denotes time, ^ A denotes the beginning 
of the action y4, J, A denotes the completion of the action A, and i and j are the occurrences 
of the events marked with the operator @. Time is captured by the occurrence function @ 
which assigns time values to event occurrences; @{il.B,i) is defined as the time of the i-th 
occurrence of i^B 1831. 



Decision procedures devised for RTL in general are not practical. To increase the efficiency 
some methods were deployed. In [57], RTL formulas are re-structured into "computational 
graphs" using a formalism called "modecharts", which resulted in "an exponential time 
decision procedure (in the worst case)" |i83j . 



3.3 Real-Time Temporal Logic (RTTL): 

RTTL |84l l82] is a first-order explicit clock logic. Discrete linear time points are employed 
as temporal structure. The sequence of time points are bounded in the past, but unlimited 
in the future. In an RTTL formula the clock variable t is explicitly referred. RTTL is a 
first-order logic because any arbitrary quantification is allowed over time variables. As an 
example, "the bounded response time" is expressed in RTTL as follows [83j : 



• nT[{red At = T)^ <){green Ar + 3<t<r + 5)] 

which means that "if the traffic light is red at time T, then eventually within 3 to 5 ticks 
from T the light must turn green". Above t is the clock variable, and T is time variable, 
which is quantified in the formula. 

RTTL provides an explicit reference to clock value and indirect quantification to time values. 
This results in a very expressive language, and allows to write very complex quantitative 
constraints. This makes this logic very useful in real-time system specification. However, 
undecidability is a major problem. In addition, due to explicit clock reference, formulas 
become too complex and difficult to understand. 

In addition to discrete semantics, RTTL formulas can be also interpreted over dense time 
domains. The logic is undecidable in both discrete and dense semantics [8J. The model 
checking in RTTL is also undecidable. RTTL has a sound proof system |82) . 

Some decidable fragments of RTTL are presented in the literature. Some well-known frag- 
ments are as follows: 



XCTL |50| is a propositional fragment of RTTL. It is an explicit clock logic, and it is 
interpreted over discrete time. XCTL has a less restricted quantification than RTTL in 
the sense that time variables can be quantified with only one outermost quantification; but 
the syntax of XCTL allows expressions with arithmetic operations. The satisfiability and 
model checking problems for XCTL with dense time semantics are both undecidable [50] . 
However, these problems are PSPACE-complete for XCTL without quantification |50| . j50j 
provides a "single exponent decision procedure for the validity of XCTL formulas" and a 
"double exponent procedure" for XCTL model checking. 

TPTL [8] is also a propositional fragment of RTTL, which is interpreted over discrete time. 
TPTL allows expressions with arithmetic operations; but this is only allowed for integer 
constants (not for variables). In TPTL explicit reference to clock is replaced by "freezing" 
quantification, and clock values are recorded through "auxiliary static timing variables" [83]. 
The satisfiability and model checking problems for TPTL with discrete time semantics 
are EXPSPACE-complete; but they become undecidable with dense time semantics |5i|. 
[5] presents a doubly-exponential-time decision procedure for TPTL. The model checking 
algorithm for the logic is "exponential on the value of the product of all time constants" 
|83| . [2 shows that if past operators are added to the logic, the satisfiability problem for 
TPTL becomes non-elementary. [52] proves that there is a complete finite axiomatization 
for TPTL with discrete time semantics. 

3.4 Metric Temporal Logic (MTL): 

MTL [61j is a propositional bounded-operator logic, which is a fragment of RTTL such 
that time references are added to temporal operators ('until', 'next' and 'since'). In MTL 
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explicit reference to clock is not allowed, which makes the logic more practical because 
quantifications on a temporal domain are no longer needed. For example, the formula 
A — )• 0<io-S asserts that if A occurs then B occurs within 10 time units. 

MTL is interpreted over linearly ordered discrete time points. In ^61j . dense time domain 
is assumed. This allows MTL to express properties which cannot be precisely expressed 
in discrete-time domain, such as variables based on continuous time (e.g temperature and 
pressure) |83] . 

[1] states that both the satisfiability and model checking problems for MTL over dense 
time domain are undecidable, but a deductive proof system exists. f8] also shows that in 
case of discrete time they reduce to EXPSPACE-complete. [8j also introduces a decision 
procedure for MTL over discrete time domain, which has 2-EXPTIME complexity, and a 
model checking algorithm, which is exponential on the value of the largest time constant. 
[61) provides a sound axiomatic system for MTL. In |48) it is shown that XCTL and MTL 
cannot be compared; namely, for both logics, there is a property which is expressible in 
one logic, but not in the other |83| . However, in case of discrete time, "TPTL and MTL 
are equally expressive (it is shown that this is not valid in dense domains [52])" [83) . [85) 
finds that "the satisfiability problem for MTL over finite timed words is decidable, with 
non-primitive recursive complexity". 

In |j7j MTL is restricted to "interval-based strictly-monotonic real-time semantics". This 
logic is called MITL, which uses operators with bound. In MITL point intervals are not 
allowed. For example, the formula 0(^—7- [3,319) is not a valid formula because equality 
constraints are not allowed [9]. MITL cannot formalise punctuality propertieqj- Unde- 
cidability of logics interpreted over dense time is related to punctuality properties [^. [^ 
shows that the satisfiability and model checking problems for MITL were shown to be 
EXPSPACE-complete. There is also a model checking algorithm, which is 2-EXPTIME. 

Recently, |85| l68] showed that restricting MTL to positive-length intervals is not necessary 
to achieve the decidability. They show that "MTL over finitary event-based semantics" are 
decidable without this restriction. [71) compares the past and future fragments of MITL 
with respect to the "recognizability of their models by deterministic timed automata". The 
authors show that "timed languages specified by the past fragment of MITL, can be accepted 
by deterministic timed automata; but certain languages expressed in the future fragment 
of MITL are not deterministic." 

3.5 Real-Time Interval Logic (RTIL): 

RTIL [92] is a real-time interval logic with metric for time. RTIL a propositional logic which 
allows to assign numerical values to interval bounds and to measure interval durations. It 
also allows quantification over finite domains. Time points can be specified explicitly or 
relative to the beginning of the interval [12] . These characteristics make RTIL to be useful 
in formalise specifications in a neater syntax. 

The specification in Section [3.21 is specified in RTIL as follows [12] : 

• □ [qB ^ tb]* {QstartA =^ QendA) 



"^A punctuality property states that the event B follows A in exactly t seconds; for any formal language 
that can express punctuality, the satisfiability problem is undecidable for a dense time domain [83J . 
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where 0^ extracts the time point at which A becomes true, and the operator* means there 
exists a subintervah 



3.6 Temporal Interval Logic with Compositional Operators (TILCO): 

TILCO |73l [71] is an extension of first-order logic with temporal operators, which do not 
have explicit temporal quantification. TILCO is an interval logic; that is, the logic is 
interpreted over linear intervals. 

TILCO can specify events and their relations (e.g. ordering, delay, etc.) in either qualitative 
or quantitative manner. Namely, end points of an interval at which an action or an event 
holds can be specified with respect to that of other events of actions; in addition, this can 
be done with an absolute numerical measure. This makes TILCO a very expressive logic, 
and very useful to specify complex behaviours of real-time systems. 

Since TILCO is an interval-based logic, it is more natural to specify temporal constraints 
with time bounds. Therefore, TILCO is very efficient to express "invariants, precedence 
among events, periodicity, liveness and safety conditions, etc." |12| . 



The specification in Section 13^2] can be expressed in TILCO as follows [T2] : 
• B ^ endA7{0,tb) A -^until{endA, ^startA) 

where ? denotes universal temporal quantification. 

|73t [75] provides a sound sound deductive system. This proof system is used along with 
the Isabelle theorem prover [87| to provide an automatic proof tool for TILCO. The logic is 
unsurprisingly undecidable, because it extends the first-order logic. However, a decidable 
subset can be obtained if we restrict ourselves to quantifications on finite sets. 

4 Probabilistic Logics 

Probabilistic reasoning has been the subject of computer science for a long time. There is 
an extensive study about formal systems with uncertainty. There are two main approaches: 
extending classical logic with probabilistic operators (such as modal logic of knowledge in 
|27|); combining probabilistic approach with non-classical logics (probabilistic extension of 
intuitionistic logic |72]). Below we review well-known probabilistic temporal logics. 

4.1 Probabilistic Temporal Logics 

4.1.1 The Logics PCTL and PCTL* 

Probabilistic Computation Tree Logic, PCTL |45l 146] . is a probabilistic extension of the 
branching time temporal logic CTL [20j. PCTL is interpreted over discrete-time Markov 
chains. Each transition in a path corresponds to one time step. The path quantifiers in 
classical branching-time temporal logics are replaced with probabilities. Namely, universal 
and existential quantification over paths is a subset of probabilistic quantification. PCTL's 



probabilistic operator provides a more general quantification, because as well as expressing 
a property is true at all/some paths, we can also express a property is true at more than 
50% of the paths. 

PCTL is very convenient to specify so-called soft deadline properties, e.g. "after a request 
for a service, there is at least a 98% probability that the service will be carried out within 
2 seconds" |46) . Soft deadline properties are important in real-time system specification. 



Some real-time requirements are specified in PCTL as follows [46j : 
. (i) VD/ = fU§^ false (ii) 30 f = trueU^^f. 

where fihl^ff2 asserts that "there is at least a probability p that either /i will remain true 
for at least t time units, or that both /2 will become true within t time units and that 
/i will be true from now on until /2 becomes true"; and /iC^>f/2 asserts that "there is at 
least a probability p that both /2 will become true within t time units and that /i will be 
true from now on until /2 becomes true" |46j. Therefore, "VD/ intuitively means that / is 
always true (in all states that can be reached with non-zero probability)", and "3<^/ means 
that there exists a state where / holds which can be reached with non-zero probability" 

Eel. 



6] presents a model checking algorithm for PCTL, which is polynomially bounded by the 
size of the formula and the Markov chaiiT^ model. 



|10j defines another probabilistic variant of CTL [20j . This new logic is called PCTL *, which 
can specify quantitative probabilistic properties of systems, modelled as discrete Markov 
processes^. |i20j also extends discrete Markov processes to generalized Markov processes^, 
where transition probability function is not total. Generalized Markov processes are con- 
venient to model "abstraction" and "refinement". |10) also presents an elementary model 
checking algorithm for PCTL* over discrete Markov processes, which is then extended for 
generalized discrete Markov processes. This algorithm can also be used to determine the 
satisfiability of PCTL* formulas. In fact, |10j shows that the decision problem for PCTL* 
formulas on generalized Markov processes is decidable. However, no efficient computational 
method is given for this problem. In addition, no sound and complete axiomatisation of 
the logic is given. 



|14) shows that model-checking algorithms for extensions of PCTL and PCTL* to probabilistic- 
nondeterministic models have a polynomial-time complexity in the size of the model, which 
is same as the model checking complexity on Markov chains |45l l46l llOj . This result shows 
that adding nondeterminism does not increase model checking complexity in the size of the 
model. When we consider time bounds expressed in terms of the size of the formula, the sit- 
uation is different. The model checking complexity of PCTL is linearly bounded in the size 
of the formula for both Markov chains and probabilistic-nondeterministic systems. How- 
ever, while model checking complexity of PCTL* on Markov chain is exponentially bounded 



^A Markov chain is a tuple {S,P) where 5 is a set of states and P : 5* x 5* — > [0,1] is the transition 
ability matrix such that (Vs G S) X^^/gg P{s,s') = 1 [91| . 
A (finite) Markov process is a 4-tuple {AP, S, P, £), where AP is a finite set of atomic propositions, S 
is a countable nonempty set of states, P : S x S ^ [0,1] is the transition probability function such that 
(Vs e S) Es'GS -P(s> s') = 1 &nd C : S -^ 2^'" is a labeling function [1Q\ 

^A generalized Markov process is a 3-tuple {AP, S, C) (where AP, S and C are defined as in Markov 
processes) and a finite set of constraints on the transition probabilities [10]. 



in the size of formula, it is in double exponential time on probabilistic- nondeterministic sys- 
tems. 



4.1.2 The Logic PTCTL 

A probabilistic extension of the real-time branching logic TCTL is defined in |65) . The logic 
is called PTCTL, which combines both the logics TCTL and PCTL. PTCTL can formalize 
properties such as 'with a probability higher than 0.9 the message is delivered within 5 
seconds'. This can be expressed in PTCTL as follows: Pyo,g[true U- rev]. PTCTL 
includes a set of clock variables in its syntax in order to specify timing properties. 

Since PTCTL is a probabilistic extension of TCTL, PTCTL is also an undecidable logic. 
|65| shows that the model checking problem is "polynomial in the size of region graph and 
linear in the size of formula". It follows that the model checking problem is EXPTIME 
due to the size of region graph. [58j shows that the model checking problem is EXPTIME- 
complete. [58) also considers the model checking problems of some subclasses of PTCTL. 

4.1.3 The Logic PLTL 

A propositional probabilistic discrete-linear temporal logic, called Probabilistic Proposi- 
tional Temporal Logic (PLTL), is introduced in |80| . PLTL allows probabilistic reasoning, 
which is extended with temporal aspects. The logic is interpreted over linear time points, 
and includes standard temporal operators, such as 'next', 'until', 'sometime' and 'always'. 
PLTL can express sentences such as "(according to the current set of information) the 
probability that sometime in the future a is true is at least n" |80) . 



Given that Q), ■(} and D are the 'next', 'sometime' and 'always' operators, respectively, and 
Pr^a (~G {<) <) =) ^1 >}) is a probabilistic operator, an example of a PLTL formula is [80] 

. OP>rP A OP<s{p ^q)^ nP=tq 

which aserts "if the probability of p in the next moment is at least r and sometime in the 
future q follows from p with the probability less than s, then the probability of q will always 
be equal to t" [80] . 



[80| analyses completeness, decidability and complexity of the logic PLTL. It describes a 
class of so-called 'measurable models'. It is proved that "PLTL restricted to the class of 
all measurable models (PLTLMeas)" has a sound and complete (infinitary) axiomatisation. 
The term infinitary means that the language and formulas are finite, but proofs can be 
infinite (The completeness cannot be proved with finitary axiomatisation). [80] shows that 
"a PLTLftfeas-satisfiable formula is satisfiable in an ultimately periodic model in which 
various parameters are bounded by functions depending on the size of the formula". [80j 
also shows that "the satisfiability problem for PLTLMeas is PSPACE-hard, and that it 
belongs to NEXPTIME". 

In [80| also introduces First-order Probabilistic Temporal Logic (FOPLTL), which is the 
first-order version of PLTL. The complete infinitary axiomatisation is extended for the logic 
FOPLTL (No complete finitary axiomatisation is possible). The set of all FOPLTL- valid 
sentences is not recursively enumerable |,33j . 
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4.1.4 The Logics PTLf and PTL 



|51| introduces two probabilistic branching time temporal logics PTLj and PTLf,, which 
are interpreted over finite Markov chains and stochastic processes, respectively. PTLf and 
PTLh can express properties, such as "invariant and liveness without explicit reference to 
the values of the transition probabilities" [51] . PTLf is a suitable logic for the specification 
of sequential programs. PTL^ is an extension of PTLf, which can be used to reason about 
concurrent programs. 

To show the syntax of the logics, let us consider the formula p \/Uq. This formula asserts 
that "along all paths w starting with the initial state and consisting only of transitions with 
nonzero probability, p holds at all states of w up to the first state, if any, at which q holds" 

EH. 



The satisfiability problems of PTLf and PTLf, are decidable. [51] provides an EXPTIME 
decision procedure based on the tableau techniques of [13j and [19j. [51j provides proof 
systems for both logics. The paper also shows that PTLf, does not have a finite-model 
property, and there is a connection between "satisfiable formulas of PTLf^ and finite state 
concurrent probabilistic programs". 

In literature, we can find similar formal systems to PTLf and PTLf,. [88] proposes a linear 
time probabilistic logic to reason about concurrent probabilistic programs; but it is not a 
complete logic. |69) introduces a similar logic which is more expressive than PTLb; but its 
decision procedure is less efficient. |22) determines "the complexity of testing whether a finite 
state (sequential or concurrent) probabilistic program satisfies its specification expressed in 
linear temporal logic LTL". [22j shows that this problem is decidable and it is in PSPACE. 
|22j also provides an EXPTIME procedure for sequential programs. This is a more efficient 
method than that of PTLf and PTL^. For concurrent programs it is shown that the 
problem is complete in 2-EXPTIME. 

4.1.5 The Logic PDC 

The Probabilistic Duration Calculus {PDC) [70j is an extension of Duration Calculus [17J 
with probabilities. PDC allows us to reason about probabilistic systems, and enables to 
express requirements such as a property holds with a certain probability. In PDC the 
system model is described as a finite automaton with fixed transition probabilities, which 
actually defines a discrete Markov process. The main idea is described in [70J is to express 
properties in DC, define satisfaction probabilities for formulas, and define a calculus to 
calculate the probability of a formula from its subformulas' probabilities. 

PDC satisfiability is described in |70) as follows: "Consider some finite probabilistic timed 
automata A. The behaviours of A can be represented as a set of M of DC models. The 
probabilistic principles that manage the working of A used to introduce probability on the 
subsets of M. Given a DC formula D, the term Tr{D){t) denotes the probability of those 
models from M that satisfy D at the interval [0,t]. A term of this sort is the component 
of PDC language" |70j . An example PDC formulas is given below: 

• -Ksoiitrue; \s'\);{\s''\;true)){t) = 
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In |70) PDC is interpreted over discrete time; i.e. discrete transitions are assumed in models, 
defined as probabifistic time automata. In a later work, [54j , PDC was defined for the case 
of continuous time, in which transitions in probabilistic automata take place in continuous 
time. In this logic, properties are written in terms of DC formulas. "Implementations of 
given requirements are modelled by continuous semi-Markov processes with finite space, 
which are expressed as finite automata with stochastic delays of state transitions (such 
an automaton is called continuous time probabilistic automaton)" |54) . [54j also defines a 
probabilistic model for DC formulas and a set of axioms/rules to calculate the satisfaction 
probabilities of DC formulas with respect to probabilistic automata. To our best knowledge, 
there is no complete proof system for PDC. As for the decidability, PDC is, not surprisingly, 
an undecidable logic. 



|55| defines the logic Simple Probabilistic Duration Calculus (SPDC), which is another prob- 
abilistic extension of Duration Calculus. The syntax of SPDC allows us "to reason about 
the probability of the satisfaction of a duration formula by a probabilistic timed automaton 
as well as to specify real-time properties of the system itself". SPDC is interpreted over 
behavioural models^, proposed in [64], which are variant of probabilistic timed automata. 
|55| proposes a model checking technique which is an extension of the technique introduced 
in |101| "to check if a timed automaton satisfies a DC formula in the form of linear duration 
invariants or discretisable DC formulas based on searching the integral reachability graph 
of the timed automaton" |55j . The model checking problem is decidable "for a class of 
SPDC formulas of the form linear duration invariants, or a formula for bounded liveness" 



4.1.6 The Logic PNL 

|4Q) introduces the Probabilistic Neighbourhood Logic (PNL), which extends Neighbour- 
hood Logic. |40| provides a complete proof system by extending the proof system of NL. 
In PNL, a more generalised version of probabilistic timed automata (defined in |54| ) is 
assumed. 

PNL has a similar grammar to the logic NL. It contains duration operators and proba- 
bilistic operators. The function symbols take a duration as argument and return a term 
of the probability. We now consider an example. Let b denote a formula which is true 
at any interval between two consecutive processes. The following formula expresses "the 
assumption that the probability for the duration of such a period to be no bigger than x is 
a function of x which is the interpretation of the function symbol F in the model" | l41j : 

• p{bAi<x = F{x)) 

PNL has the same expressive power with PDC, except for state expressions and their 
durations. Since PNL is an extension of NL, it is an undecidable logic. 



A behavioural model is a variant of probabilistic timed automata, where probabilistic transitions are 
discrete. "To resolve the nondeterminism between the passage of time and discrete transitions they use the 
concept of adversary which is essentially a deterministic schedule policy. Then, the set of executions of a 
probabilistic time automaton according to an adversary forms a Markov chain, and hence the satisfaction 
of a probabilistic CTL formula by this set can be defined, and then based on the region graph of the timed 
automaton the satisfaction of a probabilistic CTL formula by the timed automaton can be also verified" 

m- 
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4.2 Probabilistic Dynamic Logics 

Since Kozen's definition of formal semantics of probabiUstic programs [62j, some work 
has been done in this direction. Several systems have been introduced to formally study 
probabilistic programs. In particular, probabilistic dynamic logics received considerable 
attention. Some historical development in this area is given below: 

In [31], Feldman and Harel introduced a first-order probabilistic dynamic logic, called 
Pr(DL), which can express properties of probabilistic programs. The syntax of this logic is 
similar to that of Pratt's first-order dynamic logic |89| . The semantics of Pr(DL) is based 
on extension of Kozen's formal semantics of probabilistic programs |62| . |31j provides a 
complete proof system for Pr(DL) relative to first-order analysis. [31] shows that for dis- 
crete probabilities the logic reduces to first-order analysis with integer variables. Since the 
underlying theory is highly undecidable, the logic Pr(DL) is also undecidable. 

On propositional level, the well-known logics are Feldman's P-Pr(DL) [29j and Kozen's 
PPDL |63| . |29| defines the logic P-Pr(DL), which is a propositional fragment of the first- 
order dynamic logic Pr(DL). P-Pr(DL) has many important characteristics of Pr(DL), such 
as "the ability to use full first-order real-number theory for dealing with probabilities, and 
deterministic regular programs, while still being decidable" |29| . Neither the complexity of 
the decision procedure, nor a proof system is provided. 

In |63| a probabilistic analog PPDL of Propositional Dynamic Logic is introduced. [63] 
proves the finite model property by showing that models can be reduced to an equivalent 
finite model with a bound on the number of states. A polynomial-space decision procedure 
is given to decide the validity of programs. |63] also provides "a deductive calculus" and 
shows its usefulness on an example program. 

In |30| a Propositional Dynamic Logic with explicit probabilities is introduced. The lan- 
guage allows formulas of propositional probabilistic programs, where probabilistic operators 
are applied in a limited form. [SOj provides a 2-EXSPACE decision procedure for the logic 
by reducing it to "the decision problem of the theory of real closed fields". 

|97| introduces a family of propositional calculi of qualitative probabilities {QP) with one 
binary operator <. < intuitively means "at least as probable as". Given that ip and %[) are 
two arbitrary QP formulas, ^p < ip means that "the probability of (p is not greater than the 
probability of ip" [39j. [97j presents a complete deductive system for QP, and shows that 
QP is decidable. 

|39| extends QP with "many <-operators and operations among them that are analogous 
to the operations of composition, union, and iteration on modal operators known in propo- 
sitional dynamic logic". The resulting logic [DQP) allows us to reason about probabilistic 
processes. The formula w \= (p <t ip intuitively means that "the probability for a transition 
(experiment) t to transform w into a possible world that satisfies (p is smaller or equal 
to the probability for t to transform w into a possible world that satisfies ^" }39| ■ An 
cj-complete proof system is presented for DQP in |39j, which requires to build an infinite 
canonical model. This implies that DQP is undecidable. 

4.3 Probabilistic Mu-Calculus 



|21| presents the logic Generalised Probabilistic Logic (GPL), which is a Mu-Calculus-based 
modal logic, in order to reason about "reactive probabilistic labelled transition systems 
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(RPLTSs)". An RPLTS structure includes (probabilistic) transitions and (nonprobabilistic) 
actions, where nonprobabilistic actions are chosen externally, in contrary to Markov decision 
processes where nonprobabilistic choices are done internally. 

To show the syntax of GPL, we consider the following example: P>i{i'X.(j) A [.][.]X) infor- 
mally means that "it is almost always true that (j) holds at all even time instants" ([.](/> = 
AaeAcJ^]*!^' where Act denotes a set of actions) |21j . 

GPL can be considered as a framework to define temporal logics on reactive models. GPL is 
an expressive logic. Some standard probabilistic (modal/temporal) logics, such as PCTL*, 
are subsumed by the logic GPL. |21) presents a model-checking algorithm which employs 
techniques to solve non-linear equations. 

4.4 Probabilistic Instuitionistic Logics 

A probabilistic extension of propositional instuitionistic logic is introduced in [72], where 
a view of instuitionistic logic is described as "in addition to propositions which are proved 
to be true and those which are proved to be false, there is a third class of propositions 
which may turn out either way and intuitionism allows us to reason about them". The 
propositional instuitionistic language is enriched with probabilistic operator, resulting in 
the operator P>nC(, which informally means that "the probability of truthfulness of a is 
at least n" |72| . The logic does not allow nested probabilistic operators. Probabilistic 
instuitionistic logic is interpreted over a combined model of instuitionistic Kripke models 
and probabilities. |72) proves that the logic is decidable, and presents a sound and complete 
proof system. 

4.5 Probabilistic Logics with New Types of Probability Operators 



|81| introduces a family of probabilistic logics, called LPp^q^q^ with new types of proba- 
bilistic operators, which have the form Qp, where "F is a set from a recursive family O of 
recursive rational subsets of [0, 1]". Qpa states that the probability of a is within the set 
F. The authors assume the so called measurable models, different from probabilistic models 
based on Kripke structures. 

LPp^Q^O^s unique operator Qp can specify richer probabilistic expressions, which cannot be 
expressed by standard probabilistic logics, such as PGTL, because operator Qp cannot be 
translated into P>-like operators. For example, assume the model describes tossing a coin 
finitely many times. Given that a means that 'it comes up heads', and F = {g, o?) oS'' •••} 
|81| . Clearly, Qpa is true in the model. However, Qpa cannot be expressed in classical 
probabilistic logics, such as PCTL, because Qp cannot be translated into P>-like operators. 

The choice of the family O of recursive rational subsets of [0, 1] appearing in Q is very 
important, because this choice determines the language of the logic. The choice is also 
important for the decidability and expressiveness of the resulting logic. Although the logic 
LPp^Q^O is not decidable in general, |81) provides a sublanguage which is shown to be 
decidable. |81j also provides a sound and complete axiomatic systems for LPpqo- 
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4.6 Probabilistic Logics for Reasoning About Knowledge and Uncer- 
tainty 

Halpern et. al., in a series of articles, studied reasoning about knowledge and probability. 
In |28) a language is defined which can express statements such as "the probability of Ei 
is less than 1/3 and the probability of Ei is at least twice the probability of £'2", where 
El and E2 are events. [28] considers both the situations where all events are measurable 
or all events are nonmeasurahle (i.e. events that are not assigned a probability). A sound 
and complete proof system is presented for both measurable and nonmeasurable cases. The 
satisfiability problem is NP-complete for both cases. 

Some related works to that of [28] is as follows: [36\ presents a less expressive logic, which 
is shown to be NP-complete. The measurable case of the logic proposed by [28j can be 
considered as a fragment of the Probabilistic PDL by [30] • |63| also considers a Probabilistic 
PDL, which is PSPACE-complete; but this logic is not closed under Boolean combination, 
and it does not allow nonlinear combinations. 

[26j introduces a new approach to deal with uncertainty. Namely, it does not require assign- 
ing a probability value to every event. For nonmeasurable events the paper considers the 
inner measure and outer measure of events. The paper states that "inner measures induced 
by probability measures turn out to correspond in a precise sense to Dempster-Shafer belief 
functions [98]; hence, in addition to providing promising new conceptual tools for dealing 
with uncertainty, this approach shows that a key part of the important Dempster-Shafer 
theory of evidence is firmly rooted in classical probability theory." 

|27| presents a probabilistic logic which is an extension of the logic defined in |28| (which 
is itself a formalisation of Nilsson's probability logic [79]). Indeed, the logic of [27] is a 
probabilistic extension of the logic of knowledge, which can express the statements such as 
"according to agent t, formula ip holds with probability at least b" [28] . The language allows 
one to compare the probabilities of events for each agent. |27| provides a complete proof 
system. It proves the decidability through some decision procedures. |27| also considers 
the extended language with "common knowledge and a probabilistic variant of common 
knowledge". 

[1] analyses decidability and expressiveness of probabilistic first-order logics. It is shown 
that for discrete probabilities such logics are undecidable. If arbitrary probability distribu- 
tions are assumed, the situation becomes even worse. Not surprisingly, sound and complete 
proof systems are not available for such logics. [I] shows that for the following cases com- 
plete axiomatic systems can be found: "the language consists only of unary predicates and 
the case where we restrict to bounded domains; in particular, when combined with the 
standard axioms for reasoning about first-order logic, the axioms for reasoning about prob- 
abilities over the domain are complete for a language if it contains only unary predicates; 
when combined with axioms for equality and an axiom that says that the domain has 
at most n elements, the axioms are complete for the language if we restrict attention to 
domains with at most n elements." 



5 Conclusion 

In this paper we have analysed well-known real-time temporal logics and probabilistic tem- 
poral logics. We extrapolated the notions of decidability, axiomatizability, expressiveness, 
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model checking, etc. for each logic analysed, whenever possible. For a comparison of 
features of the temporal logics we discussed see Table 1. Note that we use the following 
abbreviations: No*: Undecidable in general, but decidable for some fragments or specific 
cases; No**: No deduction system in general, but available for some fragments or specific 
cases; No***: No model checking algorithm in general, but available for some fragments 
or specific cases; Yes*: Decidable for some time domains; Yes**: Available for some time 
domains; Yes***: Available for some time domains. 
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Table 1: A comparison of features of temporal logics. 



^ 



Logic 


Logic Order 


Fund. Entity 


Temp. Struc. 


Metric for Time 


Decidability 


Deductive Sys. 


Model Checking 


TCTL 


Prepositional 


Point 


Branching 


Yes 


No 


? 


Yes 


RTCTL 


Prepositional 


Point 


Branching 


Yes 


Yes 


? 


Yes 


TPCTL 


Prepositional 


Point 


Branching 


Yes 


Yes 


? 


Yes 


RTL 


First-order 


Interval 


Linear 


Yes 


No* 


No 


No*** 


RTIL 


Prepositional 


Interval 


Linear 


Yes 


Yes 


No 


? 


RTTL 


First-order 


Point 


Linear 


Yes 


No 


Yes 


No 


TPTL 


Prepositional 


Point 


Linear 


Yes 


Yes* 


Yes** 


Yes*** 


MTL 


Prepositional 


Point 


Linear 


Yes 


Yes* 


Yes 


Yes*** 


MTIL 


Prepositional 


Interval 


Linear 


Yes 


Yes 


? 


Yes 


XCTL 


Prepositional 


Point 


? 


Yes 


Yes* 


? 


Yes*** 


TILCO 


First-order 


Interval 


Linear 


Yes 


No* 


Yes 


No*** 


PCTL 


Prepositional 


Point 


Branching 


No 


Yes 


? 


Yes 


PCTL* 


Prepositional 


Point 


Branching 


No 


Yes 


? 


Yes 


PLTL 


Prepositional 


Point 


Linear 


No 


No* 


No** 


No 


PTLf 


Prepositional 


Point 


Branching 


No 


Yes 


Yes 


? 


PTLb 


Prepositional 


Point 


Branching 


No 


Yes 


Yes 


? 


PDC 


First-order 


Interval 


Linear 


Yes 


No 


7 


? 


PNL 


First-order 


Interval 


Linear 


Yes 


No 


Yes 


? 
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